Converse agora com nosso suporte
Chat com o suporte

One Identity Safeguard for Privileged Passwords 7.5 - Administration Guide

Introduction System requirements and versions Using API and PowerShell tools Using the virtual appliance and web management console Cloud deployment considerations Setting up Safeguard for Privileged Passwords for the first time Using the web client Home page Privileged access requests Appliance Management
Appliance Backup and Retention Certificates Cluster Global Services External Integration Real-Time Reports Safeguard Access Appliance Management Settings
Asset Management
Account Automation Accounts Assets Partitions Discovery Profiles Tags Registered Connectors Custom platforms Importing objects
Security Policy Management
Access Request Activity Account Groups Application to Application Cloud Assistant Asset Groups Entitlements Linked Accounts User Groups Security Policy Settings
User Management Reports Disaster recovery and clusters Administrator permissions Preparing systems for management Troubleshooting Frequently asked questions Appendix A: Safeguard ports Appendix B: SPP and SPS join guidance Appendix C: Regular Expressions

Identity and Authentication

SPP allows you to create various types of identity and authentication providers to integrate with existing directory services. This helps you to effectively manage users and how they will log in to Safeguard. You can create providers for Active Directory, LDAP 2.4, any SAML 2.0 federated service, or Radius.

Go to Identity and Authentication:

  • web client: Navigate to Appliance Management > Safeguard Access > Identity and Authentication.

The Identity and Authentication pane displays the following details about the identity and authentication providers defined.

Table 62: Identity and Authentication: Properties
Property Description
Name

The name assigned to the identity or authentication provider. Names are assigned by the administrator that creates the identity or authentication provider. Depending on the provider type, the name may be displayed in a drop-down list on the login page, with exception of Active Directory, External Federation, and any 2FA provider.

Type

Types of identity and authentication providers follow. There are valid primary and secondary authentication combinations. For more information, see Authentication provider combinations..

  • Active Directory
  • LDAP
  • External Federation
  • Radius (use as a secondary authentication provider)
  • Radius as Primary (use as a primary authentication provider)
  • FIDO2
  • OneLogin MFA
  • SCIM

Description

Enter any descriptive information to use for administrative purposes.

Login Provider ID

A system generated identifier that can be used when integrating with third-party or other custom software or automation scripts. For information on accessing the SPP API, see Using the API.

NOTE: When integrating with Safeguard for Privileged Sessions, you can effectively enable Single Sign-On (SSO) between the two applications by creating and using the same SAML2 external federation login provider in both. This Login Provider ID value from SPP must then be entered into the Safeguard for Privileged Sessions Script Reference field when creating the matching SAML2 login method.

Use these toolbar buttons to manage identity and authentication provider configurations.

Table 63: Identity and Authentication: Toolbar
Option Description
Add

Add a identity or authentication provider configuration. For more information, see Adding identity and authentication providers..

Remove

Remove the selected identity or authentication provider. The provider can be deleted if there are no associated users.

Edit

Modify the selected identity or authentication provider.

Syncronize Now

Run the directory addition (incremental) synchronization process for directory users (identity providers) and directory user groups. All changes except for deletions are synced. A Tasks window displays the progress and outcome of the task. You can click Details to see more information or click Stop to cancel the task.

The directory deletion and addition (full) synchronization process must be run from the API (IdentityProviders/Synchronize).

Update Signing Certificates and Metadata

For external federation providers that have been configured with a URL pointing to the metadata, you can manually trigger SPP to request the metadata from the URL if you know it has changed and don't want to wait for the daily automatic update. This may be necessary in cases where the external STS doesn't support having multiple active signing certificates and you want to minimize any downtime from not being able to log in.

Download Safeguard Federation Metadata

Download a copy of SPP's Federation Metadata XML file. You will need this file to create the corresponding trust relationship on your STS server. The federation metadata XML file typically contains a digital signature and cannot be modified in any way, including white space. If you receive an error regarding a problem with the metadata, ensure the file has not been edited.

Refresh

Update the list of identity and authentication providers.

Authentication provider combinations

Some authentication providers can only be used for primary authentication and others can only support secondary authentication. See the table that follows for details on allowable authentication provider combinations.

It is the responsibility of either the Authorizer Administrator or the User Administrator to configure a user account to use two-factor authentication when logging into SPP. For more information, see Requiring secondary authentication log in..

Using Local as the identity provider
Table 64: Allowable local identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified login name and password will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Certificate: The specified certificate thumbprint will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Active Directory as the identity provider
Table 65: Allowable Active Directory identity provider combinations

Primary authentication

Secondary

authentication

Active Directory: The samAccountName or X509 certificate will be used for authentication.

NOTE: The user must authenticate against the domain from which their account exists.

None

OneLogin MFA

Radius

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius: The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using LDAP as the identity provider
Table 66: Allowable LDAP identity provider combinations

Primary authentication

Secondary

authentication

LDAP: The specified username attribute will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Radius : The specified login name will be used for authentication.

NOTE: The Radius server may be configured to integrate with your company's existing identity and authentication solution and may provide its own means of two-factor authentication.

None

OneLogin MFA

Active Directory

LDAP

FIDO2

Using Starling as the identity provider
Table 67: Allowable Starling identity provider combinations

Primary authentication

Secondary

authentication

Starling

None

Using SCIM as the identity provider
Table 68: Allowable SCIM identity provider combinations

Primary authentication

Secondary

authentication

Local: The specified username and password will be used for authentication.

NOTE: A SPP user administrator must manually set the password for any newly provisioned SCIM users.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

External Federation: The specified email address or name claim will be used for authentication.

None

OneLogin MFA

Radius

Active Directory

LDAP

FIDO2

Adding identity and authentication providers

It is the responsibility of the Appliance Administrator to add directories to Safeguard for use as identity and authentication providers.

If Active Directory forests have more than one domain, select the domain to use for identity and authentication and to display on the logon screen. It is the responsibility of an Appliance Administrator to create an External Federation or Radius provider to use for authentication.

To add identity and authentication providers

  1. Go to Identity and Authentication:
    • web client: Navigate to Safeguard Access > Identity and Authentication.
  2. Click Add.
  3. Click the provider:

Branding Customization

The Appliance Administrator can customize the login page and application for their users. Any customization must be configured on the primary, however any customization will also appear on replicas.

To customize the branding used on the login page and application header

  1. Navigate to Appliance Management > Safeguard Access > Branding.
  2. Select Custom Branding.
  3. In the Login Page section, the Title field allows you to enter a name for the application (up to 50 characters long) that will appear on the login page.
  4. For the Title Size, enter the font size in pixels to use for the application name. By default this is 36 px.
  5. To customize the display colors, click the box beneath each field name to open a color selector dialog:
    1. Title Color
    2. Background Color
    3. Page Text Color
  6. Click the Upload Logo button to select a logo file to use for the login page (256KB max file size; recommended width: 160px to 400px, height 160px to 200px). Once uploaded, the uploaded logo will be displayed beneath the Page Text Color field.
  7. In the Application Header section, the Title field allows you to enter the display name (up to 50 characters long) that will be used within the header of the application.
  8. Click the Upload Logo button to select a logo file to use within the header of the application (256KB max file size; recommended width: 48px to 150px, height 48px to 64px). Once uploaded, the uploaded logo will be displayed beneath the Title field.
  9. Click Save.

    After saving, you can view the changes using the Review Login Page Customization or Review Application Customization buttons.

NOTE: You can select the Safeguard Branding option at the top of the page and click Save to remove any configured customizations and restore the SPP branding. After clicking Save you will be prompted for confirmation.

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação